IoT vulnerabilities encompass the various risks associated with Internet of Things (IoT) devices and networks, including unauthorized access, data breaches, hardware attacks, and other security risks. As IoT adoption grows, so does the likelihood of exploitation, with compromised devices becoming a significant vector for attacks, which highlights the urgent need to address these IoT vulnerabilities effectively.
In the UK, proactive measures have been implemented to mitigate IoT vulnerabilities, substantially reducing related hardware risks. Hardware-based attacks frequently involve perpetrators gaining physical access to organizations, and the interconnected nature of IoT devices facilitates such access, making these attacks more achievable. Once a device is compromised, it can become part of a broader attack, leading to a breach of the network.
In late 2021, the British government introduced the Product Security and Telecommunications Infrastructure Bill (Act 2022). This legislation aims to enhance the security of IoT devices and other connected technologies. With approximately 30 billion IoT and smart devices currently in use worldwide—and this number continually growing—there are substantial IoT vulnerabilities that must be addressed. Notably, a staggering 100% increase in IoT breaches occurred in the first half of 2021 alone. To combat these issues, the bill seeks to implement security requirements for all manufacturers, importers, and distributors of IoT devices.
IoT Cybersecurity Standards
Within 12 months, all manufacturers, importers, and distributors of IoT and smart devices must meet the following cybersecurity standards to mitigate IoT vulnerabilities and associated security risks:
- Ban on Universal Default Passwords
Manufacturers can no longer use universal, default passwords such as “password”, “admin” or “user”. These passwords are easy to guess and are exploited by attackers who take over the device. “Basic cyber hygiene, such as changing default passwords, can go a long way to improving the security for these types of devices”, says Rodolphe Harand, managing director at YesWeHack.
- Simplified Vulnerability Reporting
Manufacturers are to provide a public point of contact for vulnerability reporting. Doing so will make vulnerability reporting easier for researchers, who often discover security flaws. The efficiency of vulnerability reporting is key to ensuring that the bug gets patched before getting exploited by hackers. Currently, only 1 in 5 manufacturers maintain systems for disclosing security vulnerabilities.
- Transparency into Security Updates
Customers must be informed, at the point of sale, about the length of time their device(s) will receive security updates. Research by University College London found that out of 270 products tested, none displayed this information at point of sale or in any accompanying paperwork. As a result, buyers were unaware of when their devices lacked the most recent security features.
Failure to comply will result in a fine of up to £10 million or 4% of the organization’s global turnover. In the case of ongoing incidents, companies will get fined up to £20,000 per day.
IoT Cybersecurity Risks
IoT devices expand the attack surface, acting as an entry point for attackers looking to infiltrate a network. The connected nature of IoT devices allows for deeper penetration through lateral movement. With insufficient protection, IoT devices are often exploited by hackers who target the devices with the lowest security standards. Unsuspecting devices, such as smart printers and coffee machines, often provide network access, making them prime targets for cyber-attacks (UK telecom bill).
The mobility of many IoT devices increases their accessibility, as they get used in unsecure environments. Remote usage also broadens the attack surface beyond traditional boundaries. Bad actors can gain physical access to IoT devices more easily in public settings than in secured workplaces. Physical layer security restrictions imposed by most organizations make it challenging (although not impossible) for malicious actors to walk into the office building and attach a Rogue Device to an IoT device. Public spaces, however, have nearly no access controls. And, through simple social engineering techniques, cybercriminals can have employees unwittingly attach a Rogue Device to their IoT device.
The shift to teleworking means that smart home devices also pose significant IoT security issues for organizations. Employees working from home often connect their work devices to the same network as their smart devices, allowing the latter to compromise the former. With an average of 9 smart devices in every UK home, attackers have ample opportunities to exploit smart home devices using hardware attack tools. Research by Which? found that smart home devices were targeted more than 12,000 times in just one week.
Consumer Awareness of IoT Vulnerabilities
Despite the evident IoT vulnerabilities, consumers are often unaware of the risks, mistakenly assuming that devices are safe, especially when opting for cheaper options. Julia Lopez, UK Minister for Media, Data, and Digital Infrastructure, highlights this problem: “Most of us assume if a product is for sale, it’s safe and secure. Yet many are not.”
Addressing IoT Vulnerabilities
While the UK’s Product Security and Telecommunications Infrastructure Bill aims to reduce IoT-related security risks and cyber attacks, it alone cannot eliminate them. Both the public and private sectors must continue to prioritize IoT security, recognizing the ongoing threats posed by attackers seeking to exploit vulnerabilities. Security awareness and proactive security measures are essential to minimizing risks related to cybercrime and other cyber attacks.
Endpoint and Network Security
Sepio’s Asset Risk Management platform empowers enterprises to tackle IoT security issues head-on, starting with physical layer visibility. By calculating a digital fingerprint of all IT, OT, and IoT assets, Sepio’s solution accurately detects and identifies each device within your infrastructure. Its comprehensive policy enforcement mechanism, combined with Rogue Device Mitigation capabilities, promptly blocks unapproved or rogue hardware, preventing hardware-based attacks. With Sepio’s solution in place, you gain complete control and visibility over all devices operating within your infrastructure, strengthening your IoT security posture and adherence to internal security policies.
Safeguard your enterprise from the rising threats of cyber attacks, hacking, and IoT vulnerabilities. Enhance your IoT security, protect your critical infrastructure, and discover the power of Sepio’s Asset Risk Management platform.
See every known and shadow asset. Prioritize and mitigate risks. Schedule a demo to understand how to leverage Sepio’s patented technology to gain control of your asset risks.